On 11/29/2011 12:59 AM, novice123 wrote:
> Dear All,
>
> During a risk assessment exercise, I realized that my backup admin does not
> encrypt data in backup tapes. He argues, it is not required as an adversary
> cannot recover/read data from the backup tape, assuming its stolen, if he
> does not have the corresponding catalog. He further adds that catalog is kept
> secure. We are using Veritas netbackup 6.5. I am unfamiliar with the
> technology, hence would want to know the following:
>
> a) If catalogs are secure, why should the software have a feature for
> encrypting data in the backup tape?
You can always import images from a tape. Takes a while. Its also
extractable even without NBU involved, esp if not multiplexed. This
isn't true.
I encrypt my backups AND catalogs. (Just make sure you have hard copy of
KMS keys in the safe). LTO4 hardware encyption isn't too much of a
performance hit for the piece of mind.
>
> b) If the argument is invalid, how can an adversary read/recover the data
> from the stolen backup tapes, even if he does not have the catalog. Please
> help in articulating the risk.
>
mt to position to each file, then tar.
or if you have NBU, import the tape.
_______________________________________________
Veritas-bu maillist - Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
|